Hackers backdoored CCleaner for a month: Over 2 million infected with malware

The 32-bit version of CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 were infected with malware. Affected systems need to be restored to a state before Aug. 15, 2017, or reinstalled.

Chris Hoffman

Hackers backdoored the popular CCleaner Windows utility. For nearly a month, two malware-tainted versions collected computer names, IP addresses, lists of installed and active software, as well lists of network adapters before sending the data to the attacker’s server.

Cisco Talos, which discovered the malware on Sept. 13 while a customer was beta testing new exploit detection technology, warned that the tainted versions of CCleaner were being distributed for nearly a month. CCleaner 5.33 was released on Aug. 15, and a newer version without compromised code wasn’t released until Sept. 12. A cloud version released in August was similarly infected.

The backdoored version was even signed using a valid certificate issued to Piriform, which was acquired by antivirus firm Avast in July.

Cisco Talos researchers said, “It is likely that an external attacker compromised a portion of their development or build environment and leveraged that access to insert malware into the CCleaner build that was released and hosted by the organization. It is also possible that an insider with access to either the development or build environments within the organization intentionally included the malicious code or could have had an account (or similar) compromised which allowed an attacker to include the code.”

Piriform confirmed the attack, saying Avast “determined on the 12th of September that the 32-bit version of our CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 products, which may have been used by up to 3% of our users, had been compromised in a sophisticated manner.” A non-backdoored version of CCleaner was released the same day.

As for the compromised cloud version, CCleaner Cloud v1.07.3191, which was released on Aug. 24, the company released a non-malware tainted version on Sept. 15.

Law enforcement is involved. Piriform said, “It would have been an impediment to the law enforcement agency’s investigation to have gone public with this before the server was disabled and we completed our initial assessment.”

An estimated 2.27 million systems installed the infected CCleaner

Although Avast doesn’t want users to panic, it admitted to Forbes that an estimated 2.27 million systems installed the backdoored versions.

Piriform previously claimed that there have been 2 billion total CCleaner downloads with an additional 5 million weekly installs. Cisco Talos said, “The impact of this attack could be severe given the extremely high number of systems possibly affected.”

If even a small fraction of those systems were compromised, an attacker could use them for any number of malicious purposes. Affected systems need to be restored to a state before August 15, 2017, or reinstalled. Users should also update to the latest available version of CCleaner to avoid infection. At the time of this writing that is version 5.34.

The freebie version won’t automatically update to a version without a backdoor. If you installed it, then go grab a clean version of CCleaner now if you intend to keep using the software.

CCleaner has been popular for years, trusted by tech-savvy users. Taking advantage of that trust is partially why this attack is so distressing. That and you don’t expect an antivirus firm to infect you with malware.

Cisco Talos concluded:

This is a prime example of the extent that attackers are willing to go through in their attempt to distribute malware to organizations and individuals around the world. By exploiting the trust relationship between software vendors and the users of their software, attackers can benefit from users' inherent trust in the files and web servers used to distribute updates.